Sebastián Revuelta is a security engineer at Thales Alenia Space with a history of working in security, sales, and customer success management. He talks about all things application security, the role of presales and sales engineers in connecting cybersecurity with customers, what the STRIDE threat modelling framework is and its role in application security, and more in this exclusive interview with ManageEngine.
For many years, I worked on the quality aspects of software, which involved dealing with performance, reliability, maintenance, and so on. Since 2015, I've worked in roles that deal with software security. I made this shift as I understood the importance of cybersecurity: one vulnerability is all it takes to provoke a real disaster in a company.
As an application security engineer, I take care of the security aspects of software development. My role involves running different types of security scans: static analysis, dynamic analysis, container analysis, and more. One of my most important responsibilities, though, is resolving issues. I help prioritize vulnerabilities and help the team fix them.
Being able to deliver secure software is crucial to avoid issues in production. It is one important step in the chain, but not the only one: there are also network traffic, infrastructure scans, cloud security, security policies, and many other security aspects to take care of! Cybersecurity is an amazing but huge world to work in.
SQL injection, cross-site scripting, and hard-coding credentials (the practice of embedding credentials in the source code of an executable) are some of the issues our scans commonly detect.
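As an added illustration of two of the findings named above (this is editor-supplied example code, not code from the interview or from Thales Alenia Space): the SQL injection pattern a static scanner reports next to its parameterized fix, plus a minimal heuristic for spotting hard-coded credentials. The in-memory SQLite table, the fake accounts, the sample source lines and the credential regex are all constructed for the example.

```python
"""Added example: injectable vs. parameterized SQL, and a tiny hard-coded
credential check. All data below is constructed for illustration."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: three fake accounts in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The pattern a static analyzer flags: untrusted input concatenated straight
    # into the SQL text, so the input can rewrite the query itself.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Parameterized query: values travel separately from the SQL, so quotes
    # and keywords inside the input are never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Classic payload: closes the string literal and turns the WHERE clause into
# a tautology ("... OR '1'='1'").
INJECTION = "' OR '1'='1"

# Assumed heuristic (not a real scanner's rule): a secret-looking name assigned
# a quoted literal of at least four characters.
CREDENTIAL_PATTERN = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{4,}["']"""
)


def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, line) for lines that look like embedded secrets."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if CREDENTIAL_PATTERN.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed source snippet: one literal secret, two acceptable patterns.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "Winter2021!"        # flagged: literal secret in code
api_key = os.environ["API_KEY"]    # fine: read from the environment
token = get_token()                # fine: not a literal
"""

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, INJECTION, INJECTION))  # every user
    print("safe:      ", login_safe(db, INJECTION, INJECTION))        # no match
    print("legit:     ", login_safe(db, "alice", "s3cret"))           # ['alice']
    for number, line in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"hard-coded credential at line {number}: {line}")
```

The regex is deliberately loose; a real secret scanner adds entropy checks and provider-specific key formats, but the point of the example is the shape of the finding, not the precision of the rule.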
We need to avoid using default credentials. It is crucial to change them regularly. The username and passwords admin/admin or root/root are the first things an attacker will try.
Tech companies are growing in Spain, and so is the adoption of advanced technology. This goes hand-in-hand with an increase in the number of attacks that occur. It is important to take measures on all fronts and layers: network, infrastructure, cloud, application, and database. Dealing with data also means that organizations need to encrypt sensitive information and carry out periodic backups to enable easy restoration of information in case of an attack.
Sometimes as security engineers, we can get really technical, and this can confuse customers. We need to speak the "same language" to avoid this. Imagine saying this to a non-technical customer:
"Hey, customer, you have a cross-site scripting vulnerability in the frontend that is affecting your database layer due to a Spring misconfiguration."
It is so much better to tell a customer something like this:
"In the application X, which is important for your business, there is a potential weakness in the main form, and an attacker can exploit it. It is important to fix it soon, as it has a big impact and an easy solution."
Presales or support security engineers play the role of linking sales and technical staff with customers.
I've always felt that threat modelling is amazing and that there is a whole lot to be discovered in the field. There are several experts, like Adam Shostack, who teach us how to decompose an application to identify threats. And this is the main goal of any threat modelling activity: Identifying possible threats.
Shostack suggests beginning a threat modelling activity by asking oneself four important questions:
Asking oneself "what can go wrong?" is crucial, as it will give all the potential threats for any application. To achieve that, he proposes the STRIDE technique, which consists of:
With these threats in mind, we could review our design and check if our application is likely to be a target for cyberattacks.
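To make the "what can go wrong?" step concrete, here is an added example (editor-supplied, not the interviewee's code and not Adam Shostack's tooling) that runs a STRIDE pass over a small data-flow model of a three-tier web application. The six STRIDE categories are the standard ones; the element types, the per-element applicability table, the trust zones and the model itself are assumptions chosen for illustration.

```python
"""Added example: STRIDE-per-element enumeration over a constructed
data-flow model (browser -> web application -> database)."""
from dataclasses import dataclass

# The six STRIDE categories, keyed by their letter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed STRIDE-per-element applicability: which categories are worth
# considering for each kind of diagram element. Teams tune this table.
APPLICABLE = {
    "external": "SR",      # external entity: can be spoofed, can deny actions
    "process": "STRIDE",   # running code: everything applies
    "datastore": "TRID",   # stored data: tampering, logs, leaks, availability
    "dataflow": "TID",     # data in transit: tampering, sniffing, blocking
}


@dataclass
class Element:
    name: str
    kind: str          # one of APPLICABLE's keys
    trust_zone: str    # which side of a trust boundary the element sits on


@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    kind: str = "dataflow"


@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool  # flow between trust zones: untrusted data enters here


def enumerate_threats(elements, flows):
    """Apply the STRIDE table to every element and flow in the model."""
    threats = []
    for element in elements:
        for letter in APPLICABLE[element.kind]:
            threats.append(Threat(element.name, STRIDE[letter], False))
    for flow in flows:
        crosses = flow.src.trust_zone != flow.dst.trust_zone
        for letter in APPLICABLE[flow.kind]:
            threats.append(Threat(flow.name, STRIDE[letter], crosses))
    return threats


def prioritized(threats):
    """Boundary-crossing flows first: that is where attacker input arrives."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.element, t.category))


def build_model():
    # Constructed model: one trust boundary between the internet and the
    # internal network; the SQL link stays entirely inside the internal zone.
    browser = Element("Browser", "external", "internet")
    app = Element("Web application", "process", "internal")
    db = Element("Users DB", "datastore", "internal")
    flows = [
        Flow("HTTP request", browser, app),
        Flow("HTTP response", app, browser),
        Flow("SQL query", app, db),
    ]
    return [browser, app, db], flows


if __name__ == "__main__":
    elements, flows = build_model()
    for threat in prioritized(enumerate_threats(elements, flows)):
        marker = "!" if threat.crosses_boundary else " "
        print(f"{marker} {threat.element:16s} {threat.category}")
```

The output is a candidate list, not a verdict: each entry still needs a human to decide whether a control already covers it or whether it becomes a finding to fix, which is the part of threat modelling the table cannot automate.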
Human beings are the likely target for any cyberattack in an organization. Social engineering attacks like phishing will always exist and we need to anticipate and prepare ourselves for them. I think there are two main ways to reduce the risk: improve our technology to detect phishing automatically (not always easy, as there are many sophisticated attacks) and train people to be aware of these threats.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.